CVE-2025-54366
Published: 26 July 2025
Summary
CVE-2025-54366 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in FreeScout. Its CVSS v3.1 base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 11.7% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced. Note that exploitation requires an authenticated account and knowledge of the application's APP_KEY (see the NVD description below), so the public-facing endpoint alone is not sufficient for an unauthenticated attacker.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Flaw remediation: apply the fix promptly by upgrading to FreeScout 1.8.186, which closes the deserialization flaw and removes the RCE path.
- Information input validation (SI-10): validate the user-controlled attachments_all and attachments POST parameters at the /conversation/ajax endpoint so that client-supplied serialized objects are never instantiated.
- Vulnerability monitoring and scanning (RA-5): scan for FreeScout instances at version 1.8.185 or below to identify systems affected by CVE-2025-54366 for subsequent remediation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unsafe deserialization reachable through an endpoint of a public-facing web application (/conversation/ajax) gives an authenticated attacker who holds the APP_KEY remote code execution, which is exploitation of a public-facing application (T1190).
NVD Description
FreeScout is a lightweight free open source help desk and shared inbox built with PHP (Laravel framework). In versions 1.8.185 and below, there is a critical deserialization vulnerability in the /conversation/ajax endpoint that allows authenticated users with knowledge of the APP_KEY to achieve remote code execution. The vulnerability occurs when the application processes the attachments_all and attachments POST parameters through the insecure Helper::decrypt() function, which performs unsafe deserialization of user-controlled data without proper validation. This flaw enables attackers to create arbitrary objects and manipulate their properties, leading to complete compromise of the web application. This is fixed in version 1.8.186.
Deeper analysis
CVE-2025-54366 is a deserialization vulnerability (CWE-502) in FreeScout, a lightweight open-source help desk and shared inbox built with PHP on the Laravel framework. The flaw affects versions 1.8.185 and below and sits in the /conversation/ajax endpoint: the attachments_all and attachments POST parameters are passed to the insecure Helper::decrypt() function, which deserializes the decrypted, user-controlled data without validating it. An attacker who can produce a payload that decrypts successfully therefore chooses the class and properties of every object that deserialization instantiates, which is the classic precondition for PHP object-injection gadget chains and, per the advisory, leads to complete compromise of the web application.
Exploitation requires an authenticated account and knowledge of the application's APP_KEY; with those in hand it proceeds over the network with low complexity and no user interaction. Success yields remote code execution with high confidentiality, integrity and availability impact, as reflected in the CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The APP_KEY requirement is the practical gating condition: the vector's PR:L captures the low-privilege login, but the key itself must come from somewhere, typically a leaked .env file, backup or configuration dump. Treat any such exposure as an exploitation precondition, not a lesser finding.
The issue is fixed in FreeScout version 1.8.186; upgrade to that version or later. Additional details are available in the GitHub security advisory at https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-vcc2-6r66-gvvj and the fixing commit at https://github.com/freescout-help-desk/freescout/commit/9669c57f1ddbee896752d9e16270abfd97b20eb9.
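The pattern the analysis above describes (decrypt a client-supplied blob under APP_KEY, then hand the plaintext to unserialize()) beside a hardened form, as an added illustrative example. This is not FreeScout's Helper::decrypt(), not Laravel's Encrypter and not the fixing commit; the APP_KEY value, the payload wrapper, sealPayload()/openPayload()/decryptUnsafe()/decryptAttachmentIds() and the LogCleaner class are all constructed for this example, and it assumes PHP 7.4 or later with the openssl extension:

```php
<?php
// Added illustrative example, not FreeScout's or Laravel's code. It models the
// advisory's pattern: decrypt a client blob under APP_KEY, then unserialize()
// the plaintext, beside a version that never instantiates attacker-chosen objects.
// APP_KEY, the payload format and the LogCleaner class are constructed here.

const APP_KEY = '0123456789abcdef0123456789abcdef'; // constructed 32-byte key

// Encrypt-then-MAC wrapper. By the advisory's precondition the attacker knows
// APP_KEY, so the attacker can call this exactly as the application does.
function sealPayload(string $plaintext, string $key): string
{
    $iv  = random_bytes(16);
    $ct  = openssl_encrypt($plaintext, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);
    $mac = hash_hmac('sha256', $iv . $ct, $key);
    return base64_encode(json_encode([
        'iv'    => base64_encode($iv),
        'value' => base64_encode($ct),
        'mac'   => $mac,
    ]));
}

// Verify the MAC and decrypt; returns the plaintext or null on any failure.
// Note that a valid MAC proves only that the key holder produced the blob.
function openPayload(string $payload, string $key): ?string
{
    $blob = json_decode(base64_decode($payload, true) ?: '', true);
    if (!is_array($blob) || !isset($blob['iv'], $blob['value'], $blob['mac'])) {
        return null;
    }
    $iv = base64_decode($blob['iv'], true);
    $ct = base64_decode($blob['value'], true);
    if ($iv === false || $ct === false || strlen($iv) !== 16) {
        return null;
    }
    if (!hash_equals(hash_hmac('sha256', $iv . $ct, $key), (string) $blob['mac'])) {
        return null;
    }
    $plain = openssl_decrypt($ct, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);
    return $plain === false ? null : $plain;
}

// VULNERABLE pattern: whatever the key holder serialised gets instantiated,
// including classes whose magic methods do work on wakeup or destruction.
function decryptUnsafe(string $payload, string $key)
{
    $plain = openPayload($payload, $key);
    return $plain === null ? null : unserialize($plain);
}

// HARDENED pattern: forbid object instantiation and enforce the expected shape
// (a list of positive attachment IDs). Anything else is rejected.
function decryptAttachmentIds(string $payload, string $key): array
{
    $plain = openPayload($payload, $key);
    if ($plain === null) {
        throw new InvalidArgumentException('payload failed authentication or decryption');
    }
    $data = unserialize($plain, ['allowed_classes' => false]);
    if (!is_array($data)) {
        throw new InvalidArgumentException('expected a list of attachment IDs');
    }
    foreach ($data as $id) {
        if (!is_int($id) || $id <= 0) {
            throw new InvalidArgumentException('attachment ID must be a positive integer');
        }
    }
    return array_values($data);
}

// Stand-in for a gadget class: any autoloadable class with a side-effecting
// __wakeup() or __destruct() serves an attacker who controls the object graph.
class LogCleaner
{
    public string $path = '';
    public function __wakeup(): void
    {
        echo "LogCleaner::__wakeup ran for {$this->path}: attacker-chosen object instantiated\n";
    }
}

// Legitimate use: the client echoes back a sealed list of attachment IDs.
$legit = sealPayload(serialize([12, 34]), APP_KEY);
var_dump(decryptAttachmentIds($legit, APP_KEY));     // accepted: positive ints only

// Attacker who knows APP_KEY seals an object instead of an ID list.
$gadget = new LogCleaner();
$gadget->path = '/var/www/html/.env';
$malicious = sealPayload(serialize($gadget), APP_KEY);

decryptUnsafe($malicious, APP_KEY);                  // vulnerable: __wakeup fires
try {
    decryptAttachmentIds($malicious, APP_KEY);       // hardened: no object is created
} catch (InvalidArgumentException $e) {
    echo "hardened path rejected payload: {$e->getMessage()}\n";
}
```

With allowed_classes set to false, unserialize() yields a __PHP_Incomplete_Class instead of a LogCleaner, so no magic method runs and the shape check then rejects it. The stronger design is to not accept serialized structures from the client at all: an attachment ID list can travel as plain form fields or JSON, with the server checking that each ID belongs to the requesting user. The example shows the narrower change only to make the contrast with the vulnerable path explicit; it does not claim to reproduce what the FreeScout 1.8.186 fix does.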
Details
- CWE(s)